Is it possible to beat spam?

Spam levels have dropped globally and it’s not a seasonal fluctuation. There is indeed less spam now in e-mail traffic. Can spam ever be beaten altogether?

Kaspersky Lab has just released its monthly report on spam, and it shows that in June the percentage of spam in email traffic averaged 64.8%, 5% less than in May. According to May figures, the amount of spam had also decreased compared to April. The spring-summer season is always something of a lull period; then in September spam spikes. Interestingly enough, e-mail spam levels today are much lower than a few years ago: back in 2009 it occasionally reached 91% of all traffic. Today’s 64.8% looks almost humble, even though it’s still way above 50%. A question arises: is it at all possible to beat spam?

First of all, I’d like to limit myself to the issue of email spam, because there are many other types: every messaging platform and every kind of social media (blogs, newsgroups, forums, etc.), as well as online games with in-game chats, is used for posting multiple unsolicited messages that are advertising or scams in nature. And beating them is the very same “arms race” between the service provider and spammers (and their bots) as everywhere else.

So, can we beat e-mail spam? The short answer is: unlikely. That doesn’t mean impossible, though, because over the last five years the percentage of unsolicited messages has indeed dropped significantly, from slightly over 90% to the current ~70%. The question is how this has been achieved.

Apparently, a handful of factors are at play. First, all e-mail providers offer some kind of spam filter today. We can question how equal they are in efficiency, but it is true that any “respectable” anti-spam solution comprises a lot of expertise and a lot of technologies, such as Bayesian filtering, denylists, DNS-based and fuzzy-checksum-based spam detection, online databases, etc.

But the figures show that these technologies are not enough to beat spam entirely, because, again, it is an endless arms race: security experts try to find ways to filter spam out, and spammers try to make sure their messages evade these filters.

Lately, though, it has started to look as though spammers have become lazy and complacent. Their content has become repetitive, generic and mediocre. Perhaps this is also a reason for the 20+ point drop in the spam percentage over the last few years?

The third possible reason is that users themselves have become more experienced en masse, and your average MLM schemes or Nigerian scams don’t work so well any longer. After all, there’s no spam filter that can best a human brain.



Yet another question is what we should consider “victory”. For users in general and for businesses, it means no spam of any kind in their inboxes. No advertising, and no malware, please. Given how much spam is “loaded” with Trojans, spam is an immediate security problem.

Email providers (including free services, such as Google Gmail) employ filters that do their job fairly well. Even if a spam message isn’t killed before getting into your inbox, it ends up in the “junk” folder and generally doesn’t bother the end user.

ISPs, however, have to deal with raw traffic and invest heavily in their infrastructure so that the junk doesn’t consume all of their bandwidth. Spam harms them in quite a direct way, and any serious decrease in the amount they have to handle would make them feel much better.

For security vendors, beating spam is not just about creating some super-efficient spam filters, but also about killing the botnets that relay unsolicited emails in Chthonic amounts. And that is another story.

Of course, anyone would dream about some ultra-efficient spam-killing artificial intelligence that won’t let anything spam-like slip through. But for now it’s a fantasy.

The problem is that spamming is still a lucrative business on its own. It has almost zero expenses and potentially big returns, bigger yet if the messages are “loaded” with phishing, scams and/or malware, since cybercriminals surely pay spammers a fee for the services provided. So beating spam is just a part of beating cybercrime as a whole.

And even if we put aside malware seeding and botnets, spam is still lucrative since people still get “seduced” by spammers and their adverts of enlargement pills and fake Breguets and diplomas.

As long as they do, spam stays.